How secure is Pokémon GO actually

During the past couple of weeks, this new old game has swept the world. The Pokémon GO craze has probably reached every single person with a smartphone and an internet connection around the globe. The app is developed by Niantic Labs, who teamed up with Nintendo, the publisher of the original Nintendo game. In the 90’s, Pokémon became a huge franchise offering GameBoy games, trading card games, toys, comic books, animated TV shows, and even movies, and its current revival seems to have inherited that success.

Today, Pokémon GO captures the attention not only of Millennials who remember its predecessor but also of kids, teens and anyone in between – and does so at a rate that is quite astounding even in an age when things go viral online on a regular basis. But why did it explode and manage to outrun an app like Tinder? What is so special about it that the appeal of virtual creatures and Pokémon battles outweighs the promise of casual sex offered by Tinder?

First off, the app is free and easy to install and use (keep in mind that there are in-app purchases, though). You download it, give the publisher access to all of your digital data, select an avatar and you are good to go. Wait, did we just say you give Niantic Labs access to all of your online data?! We’ll circle back to that, so bear with us.

Photo: brar_j on Flickr

Then there is the physical activity element – the game prompts players to go out and explore the area in search of rare Pokémon and rewards them for walking a certain distance, for example. The app combines intrinsic human laziness (quite often manifested by playing video games on the couch) with the desire to live healthily and exercise, which is appealing to people of any age, location or background.

But what we think is the strongest trait that drives people to Pokémon GO is the technological innovation: the game makes augmented reality accessible to anyone, and literally turns the real world into a giant digital playground, where players can enjoy one gigantic, shared adventure.

All this gets people to talk about the app, which drives them to install the game, so even more people talk about the app – so it is no surprise that Pokémon GO has kept its first position in the Apple store in the US ever since its launch.

On top of this, users would spend about 30% more time walking around in search of Pokémon than they would spend on Facebook. Facebook! The social media channel has been dethroned as the ultimate bottomless pit for our time and productivity as people have literally gone crazy about hunting the game’s weird animated creatures. So crazy, in fact, that the majority of Pokémon GO players seem to ignore the red light about the app’s vulnerability when it comes to cybersecurity.

Pokémon GO-Get-My-Data and other security risks

When Niantic Labs first launched the application in the Apple and Google Play stores, it gave users the choice to log in either with Google+ or with a dedicated Pokémon Trainer Club account. The latter were a hassle to get, plus humankind likes things easy, so the majority of Pokémon hunters opted for a Google+ login, unknowingly giving the app full-access permission. This means, as security analyst Adam Reeve sums up, that Niantic can:

Read all your email;

Send email as you;

Access all your Google Drive documents (including deleting them);

Look at your search history and your Maps navigation history;

Access any private photos you may store in Google Photos;

And a whole lot more.

Uh-oh. We don’t know about you, but at pCloud HQ, we are quite concerned about privacy and our security online (case in point: pCloud Crypto). We most certainly wouldn’t want a game app to be able to send email as us, access any photos of ours, or delete any of the documents we keep in the cloud (we don’t use Google Drive for obvious reasons but it’s the principle).

Apparently, it’s not just us who feel that way and that forced Niantic to issue a statement:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

The client-side fix was introduced with an update from July 13, and the release notes on the issue were brief: “Fixed Google account scope.”
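The gap between "full access" and "basic profile information" described above can be checked mechanically. The following is an added example, not code from Niantic or Google: it audits the `scope` parameter of an OAuth 2.0 authorization request against what an app says it needs. The request URLs, `client_id`, redirect URI and function names are constructed for illustration and are not the game's actual requests.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption taken from the statement quoted above: the app only needs the
# user's ID and email address. "openid" and "email" are the standard
# OpenID Connect scopes for that.
NEEDED = {"openid", "email"}

# Real Google OAuth scopes that grant the kinds of access listed above.
HIGH_RISK = {
    "https://mail.google.com/": "read, send and delete all Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send email as the user",
    "https://www.googleapis.com/auth/drive": "read, edit and delete all Drive files",
}

def requested_scopes(auth_url):
    """Return the set of scopes in an OAuth 2.0 authorization request URL."""
    query = parse_qs(urlparse(auth_url).query)
    # RFC 6749: scope is a single space-delimited parameter.
    return set(" ".join(query.get("scope", [])).split())

def audit(auth_url, needed=NEEDED):
    """Compare the requested scopes with what the app actually needs."""
    scopes = requested_scopes(auth_url)
    excess = scopes - needed
    return {
        "excess": sorted(excess),
        "high_risk": {s: HIGH_RISK[s] for s in sorted(excess) if s in HIGH_RISK},
        "missing": sorted(needed - scopes),
        "least_privilege": not excess,
    }

def build_request(scopes):
    """Build a constructed sample request; client_id is a placeholder."""
    params = {"client_id": "EXAMPLE_CLIENT_ID", "response_type": "code",
              "redirect_uri": "https://app.example/callback",
              "scope": " ".join(scopes)}
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)

# Constructed samples, not the game's actual requests.
OVERBROAD = build_request(["openid", "email", "https://mail.google.com/",
                           "https://www.googleapis.com/auth/drive"])
MINIMAL = build_request(["openid", "email"])

if __name__ == "__main__":
    for name, url in (("overbroad", OVERBROAD), ("minimal", MINIMAL)):
        print(name, audit(url))
```

The same comparison works on the consent screen side: any scope in `excess` is access the user grants that the app has not justified.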

Nonetheless, the Pokémon GO app remains a security threat. David Kennedy, founder and Chief Hacking Officer of the US-based company Binary Defense Systems, claims that even with the Google+ login issue handled, the game is still a lucrative target for hackers looking to dip their hands into a tasty jar of personal data. “Let’s say I hacked into that application,” says Kennedy. “I would now have access to everyone who installed it, their Gmail accounts and everything else,” he adds.

Along with hacking attacks and malware, the game poses one more unexpected risk: people wandering off to restricted areas as the game doesn’t recognize these. The search for Pokémon recently led a French citizen into an Indonesian military base; the incident prompted government officials in Jakarta to call the game a threat to national security. Government agencies of other countries such as Egypt, Kuwait, The United Arab Emirates and even the USA are also alert to and investigating the possible security implications of the Pokémon GO app.

Your data is their data

And as if hack attacks, malware vulnerabilities and human stupidity were not enough to make you really think before installing the game, there comes Niantic Labs’ privacy policy, which states that the publisher may share users’ information with third parties who “may not have agreed to abide by the terms of this Privacy Policy.”

Who these third parties may be remains a mystery but we are fairly certain that they will be paying advertisers. Of course, advertising is not the only revenue stream for Niantic – the game allows for in-app purchases of Poke balls, lures and other items supposed to make hunters’ quests for Pokémon easier, and the wearables market is not lagging behind either.

And while sponsored locations are not yet launched, entrepreneurial people and establishments are making a buck off the game craze – restaurants are luring Pokémon to lure clients, taxi drivers are helping riders hunt the animated creatures, and so on. It would appear that businesses will do their best to monetize the Pokémon obsession as well as they can, whether by purchasing virtual ad space in the real world, by buying business intelligence data and insight, or simply by driving people around so they can catch ’em all.